Electron Markets (2013) 23:341–354 DOI 10.1007/s12525-013-0137-3
SPECIAL THEME
Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective
Susan P. Williams & Catherine A. Hardy & Janine A. Holgate
Received: 15 October 2012 / Accepted: 19 June 2013 / Published online: 1 August 2013
© Institute of Information Management, University of St. Gallen 2013

Abstract Achieving a sustainable information protection capability within complex business, legal and technical environments is an integral part of supporting an organization’s strategic and compliance objectives. Despite a growing focus on information security governance (ISG), it remains underexplored, requiring greater empirical scrutiny and more contextually attuned theorizing. This study adopts an interpretive case approach and uses analytical lenses drawing from socio-technical systems and institutional logics to examine how ISG arrangements are framed and shaped in practice in fourteen Australian Critical Infrastructure Organizations. Our findings illustrate the heterogeneity and malleability of ISG across different organizations, involving intra- and inter-organizational relationships and trust mechanisms. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multi-faceted view of information protection incorporating a richly layered set of social and technical aspects that constitute and are constituted by governance arrangements.

Keywords Information security governance . Information protection . Critical infrastructure . Interpretive case study . Institutional logics . Socio-technical systems

Responsible editor: Ulrike E. Lechner

S. P. Williams (*)
Institute for Information Systems Research, University of Koblenz-Landau, Universitätsstraße 1, 56070 Koblenz, Germany

C. A. Hardy
Discipline of Business Information Systems, University of Sydney, Sydney, NSW 2006, Australia

J. A. Holgate
Wipro Consulting Services, Wipro Technologies, Level 17, 201 Miller Street, North Sydney, Australia
JEL classification M15
Introduction

The need for and purpose of information security governance (ISG) was identified more than a decade ago, focusing attention on the criticality of information security as a business priority (Information Technology Governance Institute [ITGI] 2001). Ensuring dependability and reliability in business operations and the integrity and availability of information, whilst protecting enterprise information assets, is critical in conducting global business (ITGI 2001), yet it is not without challenges. Whilst technical solutions are necessary, it is widely recognised that they are not sufficient in addressing information security challenges in complex and changing socio-technical environments (Holgate et al. 2012). Responding to these challenges requires a re-focus on information security from a technical and operational level concern to an enterprise-wide and strategic, business-led responsibility requiring the involvement of boards of directors, senior management and business process (ITGI 2001). Over the past decade, a number of models, standards, frameworks and guidelines for ISG have been developed by professional bodies representing the multiple stakeholders involved in implementing ISG. These include, for example: Information Security Governance, Guidance for Boards of Directors and Executive Management (ITGI 2001); Information Security Governance, Guidance for Information Security Managers (ITGI 2008); The Business Model for Information Security (Information Systems and Control Association [ISACA] 2010); Global Technology Audit Guide (GTAG®) 15 Information Security Governance (The Institute of Internal Auditors [IIA] 2010); COBIT® 5 for Information Security (ISACA 2012); and the recently issued International Standards Organization (ISO) standard ISO/IEC 27014:2013 Information technology—Security techniques—Governance of information security (ISO 2013). However, despite evidence that organizations are taking a more holistic and strategic view of information security, recent surveys have revealed large variations in governance practices (Gartner 2012), that no single ISG model, standard or framework is recognised or used universally (ITGI 2011, 30) and that Boards of Directors and senior management “are not exercising appropriate governance over the privacy and security of their digital assets” (Carnegie Mellon University CyLab 2012).

In this paper we examine how variations in ISG arrangements arise, using the empirical context of Australian critical infrastructure organizations. Rather than engaging in debates about whether particular ISG models, standards or frameworks are more likely to be recognised or used universally, we propose instead to contribute to a greater understanding of how heterogeneity in organizational ISG arrangements is institutionally shaped and of the socio-technical aspects of the adoption of particular kinds of practices. In doing so, several benefits are derived at a theoretical, empirical and practical level. Firstly, at a theoretical level, ISG is currently expressed in terms of normative standards and prescriptive frameworks. This requires us to develop theory that looks beyond the newest ‘best practice’ to provide greater contextual understanding. Secondly, there are few in-depth case studies that examine the phenomenon of ISG in context. To date the limited empirical research in ISG consists mainly of surveys conducted in the USA, Canada and Europe. We address this limitation and present the findings of a multi-case study conducted in Australia. Thirdly, at a practical level, we provide greater understanding of how ISG is integrated in the organization.
We examine how internal and external influences may provide insights into the effect on desired outcomes of IT investments (Johnston and Hale 2009) and planning ISG audits (IIA 2010), particularly if ‘best practice’ is implemented in a purely technical way. Finally, the choice of domain, critical infrastructure protection, is of national significance for the Australian and other national and regional governments (Holgate et al. 2012). The paper is structured as follows. The next section outlines the literature on ISG, incorporating the scope, concerns and perspectives of governance theory. This section establishes the need for a more theoretically based inquiry and greater empirical scrutiny. The second section outlines the conceptual underpinnings of the paper and the research aims. The third section presents the empirical research design and stresses an interpretive case study approach. The fourth section presents the empirical study and discussion of the case findings. In the discussion we identify the key institutional logics pertaining to ISG arrangements in each organization. Based on the analysis we discuss the implications in terms of how ISG is enacted in organizations. The final section considers the limitations of the study and conclusions.
S. Williams et al.
Examining the ISG literature

Shift from technical to business logic: how information security became a governance concern

Early research in information security adopted a technical focus on securing IT assets and provided only limited understanding of the social, organizational and human aspects of information security (Straub et al. 2008; Siponen and Willison 2007). To address this limitation a new stream of research adopting a process oriented, strategic and organization-wide view evolved. This research stream includes studies of organizational values in information security objectives (Dhillon and Torkzadeh 2006), outsourcing (Karyda et al. 2006), institutional influences on information security (Hu et al. 2007) and developing information security strategy (McFadzean et al. 2007). These socio-organizational studies also reveal the problematic nature of information security as a governance issue, a theme we develop further below.

Meaning, scope and ISG approaches

The ISG literature has evolved from a common set of practitioner concerns relating to changing threat and regulatory landscapes, organizational impacts of compromised information arising from security breaches, and the need for executive and board roles in information security and appropriate governance structures (e.g. ITGI 2006; DTT 2007). Notwithstanding these concerns, ISG remains poorly understood (Moulton and Coles 2003, 580) with limited theoretical and empirical research (von Solms 2001; McFadzean et al. 2004, 2007). Various interpretations of the term “information security governance” (ISG) exist in the literature.
For example, the IT Governance Institute (2006, 17) defines ISG as a “… subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme.” Allen (2005, 6) views “governing for enterprise security” (GES) as building on and expanding “commonly defined forms of governance” including enterprise, corporate and IT governance. Others recognise information security as a part of corporate and IT governance (von Solms 2005; von Solms and von Solms 2005; McFadzean et al. 2007; Johnston and Hale 2009) or include aspects of governance within information security management (Dutta and McCrohan 2002; Vermeulen and von Solms 2002; Fourie 2003; Caralli 2004; Warkentin and Johnston 2008). Thomson and von Solms (2005) view information security as having an overlapping function with corporate governance and corporate culture and adopt the term “information security obedience” to reflect the relationship between all three fields. In summary, definitions of ISG are general in scope and combine information security with existing conceptions of corporate and IT governance. Such views provide limited insight into the relationship between information security and governance, assume there are similar goals and are unclear about the governance roles and responsibilities of senior management and board members with respect to security concerns. This is made more problematic by the varying perspectives and relationships between different forms of governance and the broader strategic enterprise view of information security, which may potentially involve multilevel and disparate systems, extend beyond organizational boundaries and involve multiple compliance mandates in changing environments.

Variety of ISG approaches and fragmented foci

ISG approaches are predominantly presented in the literature as shaped by a risk management approach, normative standards and prescriptive frameworks. The dominant risk management (RM) approach (Straub and Welke 1998; Kokolakis et al. 2000; Schultz et al. 2001; Fulford and Doherty 2003; Tsoumas and Tryfonas 2004) views ISG in multiple ways, namely: integrated with RM processes (Allen 2005); a goal of RM (Straub and Welke 1998) and vice versa (ITGI 2006); constituting and constituted by RM (Posthumus and von Solms 2004); and the “assurance part” of the RM process (Coles and Moulton 2003, 491). Further, in response to earlier criticism of traditional risk approaches that focused on minimising threats and quantifying risks, more recent views have proposed expanding evaluation from IT risks alone to a more holistic assessment of the IT environment (Gerber and von Solms 2005, 16) and “extending” RM to aligning security with strategic drivers, such as the organization’s mission, goals and objectives, to enable organizational resiliency (Caralli 2004; Allen 2005).
Suggestions for improved governance of information security and a more holistic and less ad hoc approach (Caralli 2004; Allen 2005; ITGI 2006) have been put forth through “best practices” proposals in the form of normative standards and prescriptive frameworks (see for e.g. Posthumus and von Solms 2004; von Solms 2005; ITGI 2006; Da Veiga and Eloff 2007). Whilst such standards and frameworks may be useful references for organizations in establishing and evaluating ISG, there is little empirical evidence that provides insights into the adoption (or not) of “best practice” in organizational settings and institutional environments that may, for example, be tied to particular jurisdictions and legal traditions. A recent web based survey, conducted by Johnston and Hale (2009), revealed that amongst other things, legal requirements and government regulations were the most influential factors on decisions to implement an ISG program. Whilst this survey provides useful empirical insights, it is limited in that the respondents consisted solely of Certified Information Security Managers (CISM).
The ISG literature recognises information security as a governance issue. However, the subject matter is largely prescriptive and provides limited empirical guidance. The dominant view assumes some purposive action in the pursuit of common goals, provides limited understanding of the ISG process itself and reveals the need for developing theory in ISG that looks beyond the newest “best practice” and provides contextually based understanding. ISG is variously represented as separate from, a part of, overlapping with or constituted by IT governance and corporate governance. In combining the terms information security and governance, emphasis is placed on how information security relates to corporate and/or IT governance, with limited attention given to how governance may affect information security.
Theoretical underpinnings: socio-technical and institutional logics perspectives

Combining the two concepts of information security and governance has resulted in the grouping of many heterogeneous elements in the literature without exploration of how social and technical elements interact (Holgate et al. 2012), pointing to two key issues. Firstly, as revealed in the previous sections, the ISG literature is heavily populated with descriptive and prescriptive frameworks. The role that such frameworks play in governing the protection of IT and information assets in organizations, and the way that they are enacted in practice, remains under-explored. Secondly, whilst attention is drawn to the need to widen the analytic focus from a technical to a “socio-organizational” perspective, it remains unclear in the literature what the term ‘socio’ in socio-organizational stands for, with varying interpretations. For example, it has been identified as an investigation grounded in an interpretive paradigm to assist in understanding the social and organizational, used interchangeably with the term socio-technical, and had a neo-institutional theoretical approach applied to highlight the influence of institutional factors on organizational actions and behaviours relating to information security (Holgate et al. 2012). The socio-organisational view conveyed in the literature does not give sufficient consideration to the “material constraints and affordances of technologies” (Orlikowski and Barley 2001, 152) and provides limited attention to how social and technical elements are linked. We argue that a socio-technical systems (STS) perspective may assist in bridging these bodies of literature. There are multiple and disparate views relating to a STS perspective (Majchrzak and Borys 2001, 219; Griffith and Dougherty 2002, 213).
In the context of this paper it is viewed broadly as a set of theoretical principles that provide insights into the reciprocally constitutive nature of social and technical systems (Orlikowski and Barley 2001, 148).
By bringing this perspective to our investigation, insights may be gained into the social, psychological, environmental and technical factors that are likely to play a role in shaping ISG arrangements, rather than simply a single practice or technique (Holgate et al. 2012), as well as highlighting differences in ISG arrangements constructed around different technologies. Further, using the STS perspective, the normative standards and frameworks that are heavily represented in the literature may be viewed, as suggested more broadly by Griffith and Dougherty (2002, 205), as codified specifications that may indicate the purpose and arrangements of social and technical components and their relationship in information security. We ground this view in social constructionism ideals. Complementing the STS perspective is an institutional theory view and in particular an institutional logics perspective (see Thornton et al. 2012 for a detailed review). We do so for two reasons. Firstly, an institutional view has been central to corporate governance studies over the past decade (see e.g. Fiss 2008) and recognised in the IT governance (see e.g. Xue et al. 2008) and information security (Hu et al. 2007) literature. Secondly, whilst the STS tradition emphasises the integral role of the social in constituting material objects, it is limited in assuming that “people’s everyday thinking and acting is affected by their socio-cultural milieux” (Griffith and Dougherty 2002, 212). The institutional logics concept has been central to recent developments in institutional theory, emphasising the cultural-cognitive elements in institutions, amongst other things (Greenwood et al. 2008). There are various definitions of institutional logics.
One that is widely cited and adopted in this paper is: “the socially constructed, historical patterns of material practices, assumptions, values, beliefs, and rules by which individuals produce and reproduce their material subsistence, organize time and space, and provide meaning to their social reality” (Thornton and Ocasio 1999 cf Thornton and Ocasio 2008, 101). A common theme across the range of definitions, whilst varying in emphasis, is that “to understand individual and organizational behaviour, it must be located in a social and institutional context, and this institutional context both regularizes behavior and provides opportunity for agency and change” (Thornton and Ocasio 2008, 101–102). Further, a key assumption of an institutional logics perspective is that institutions have both cultural and material characteristics and so development and change occur through the “interplay between both of these forces” (Thornton and Ocasio 2008, 105). For example, economic markets are typically not considered part of the “cultural sphere”, yet are shaped by culture and social structure as well as “structures of power, status and domination” (Granovetter 1985 cf Thornton and Ocasio 2008, 105).
The institutional logics approach operates at different levels of analysis, for example, organisations, markets, industries and organisational fields (Thornton and Ocasio 2008, 106) and so may be informative for theorising ISG arrangements in critical infrastructure organisations. Further, whilst prescriptive frameworks may inform the adoption and diffusion of ISG practices, their enactment may take a variety of forms. The institutional logics perspective does not treat diffusing practices, such as professional ISG frameworks, as some sort of homogeneous entity. Rather, it would view such frameworks as coming with explicit and implicit theories requiring “a considerable amount of interpretive work” to “integrate these theories into pre-existing organisational frameworks [such as corporate, IT or security frameworks] and ‘world views’ [of, for example, directors and C-suite level managers]” (Fiss 2008, 395). That is, multiple institutional logics may present different interpretive frames to actors and thereby shape ISG as well as be shaped by ISG practices. In doing so, attention is directed at variations in practice. Finally, material elements of the institutional logics concept have strong associations with elements of the socio-technical view such as technologies and standards. By bringing the institutional logics perspective together with the socio-technical view we deepen the analysis in terms of how technologies enable and constrain social action with respect to ISG and, in doing so, “grapple with the materiality and technology” that Pinch (2008) identifies as “impoverished” in institutional analysis. Therefore, we articulate our research question as follows: How are ISG arrangements framed and shaped in Australian Critical Infrastructure Organizations?
Research approach

Our research question seeks to examine the extent to which similarities and differences in institutional environments can subject organizations to multiple, competing and even contradictory arrangements for ISG. As discussed above, we explicitly recognize the socio-technical nature of ISG and in doing so we move away from the question of what ISG is, to questioning how ISG arrangements are shaped and institutionalized in organizations that are themselves embedded in complex, changing socio-technical contexts. To this end we adopt an interpretive case study research design and data collection and analysis methods. Walsham (1993) argues that the most appropriate vehicle for interpretive empirical studies such as ours is the in-depth case study, a research strategy that aims to understand the dynamics existing within single settings (Eisenhardt 1989, 534) and which, if carried out appropriately, can make valuable contributions to both IS practice and theory. Case study research in the interpretivist tradition explicitly includes investigation of the context of the phenomenon being studied (Cavaye 1996). Such an approach allows for the study of the phenomenon of ISG in a natural setting, to comprehend the intricacy and nature of ISG processes in the field, and hence to extend or generate theory from reality. In addition, it serves as an appropriate methodology for conducting research in a field of study where little previous research has been undertaken, and where the boundaries of the ISG phenomenon are not clearly evident at the outset of the research.

Data collection

Eisenhardt (1989) and Seidman (1998) suggest that researchers investigating multiple case studies should choose sites that produce enough variation in the theoretical variables of interest. To this end, theoretical sampling was used to highlight variations in the phenomenon, to ensure density and to allow flexibility in order to draw out the largest theoretical return. Thus, our data collection strategy was highly purposive. All the companies included in the study are Australian critical infrastructure organizations. Critical infrastructure comprises the physical and cyber-based systems necessary for the efficient operation of economies and governments. In Australia, the following sectors are deemed to be critical infrastructure—energy, utilities, transport, communications, health, food supply, finance, government services, national icons, and manufacturing (Attorney General’s Department 2010). We selected organizations from a range of these industries and from both the public and private sectors in order to draw out contextual variations. The final sample comprises 14 organizations: six private companies and eight public companies. Further, only those companies that deem their ISG practices to be effective were selected. Hence, only ISG practices, strategies and designs from companies that have been successful to date in the realm of enterprise information security are considered appropriate for inclusion in the sample.
Summary demographics of the selected case study sites and the key informants are provided in Table 1. All company names have been anonymized to meet our research ethics protocol. Semi-structured interviews were conducted to collect primary data from 23 respondents (including Chief Executive Officers, Chief Information Officers and other senior officers) at the 14 case study sites. The interviews were digitally recorded and transcribed into text files for analysis. Secondary archival and documentary data comprising 269 documents provided by the participants and publicly available information were gathered and analysed to complement and extend the primary data.

Data analysis

A mixed data analysis approach comprising content analysis, thematic analysis and comparative analysis was adopted to identify key themes and understand the relationships between them (Miles and Huberman 1994; Saldaña 2009). This involved a process of analyzing the data using codes and memos, reducing information via themes, and relating code categories. Within-case comparisons using coding techniques served as the basis for developing 14 individual organizational case studies, and cross-case comparison allowed for the identification of similarities and differences between cases. Detailed descriptions of each case are found in Holgate (2007). The first phase of data analysis was structured around understanding the socio-spatial arrangements for ISG in terms of drivers, ownership and locus of ISG. The results of this analysis are published separately in Holgate et al. (2012). In this paper we extend the results to the second phase of data analysis, where thematic coding and comparative analysis were used to reveal key empirical themes, that is, the internal and external influences shaping ISG in organizations.
Case study discussion and findings

Varying and shifting arrangements of ISG were identified in the case studies. These have been summarised as seven key themes/ISG arrangements. Table 2 presents these separate but related empirical findings and provides a brief summary of how they reinforce and extend current theorisations of ISG in the literature. We discuss each of the seven key empirical themes and their meaning in the context of the case study organizations below.

i. A dynamic, flexible, ongoing phenomenon

The findings show that not only is the meaning of ISG fluid, but that ISG arrangements in practice are dynamic and flexible because of ongoing socio-technical change. Some cases, such as Best Practice, have an ISG model in place that has garnered external recognition whilst, in contrast, Start-Up had not developed an ISG model and initiatives appeared to be ad hoc and minimal. Notwithstanding the level of maturity with ISG, all of the cases were aware of its necessity, given the dynamic nature of cyber threats. According to the GM of Advantage: “…So in the security game it is just constant warfare, constantly investing in new hardware, new software, new systems. The process is not static at all, that’s what the misconception is, but our processes are constantly being updated because security is more of a day to day warfare.” The case organizations have been confronted by technical and institutional influences, which we have classified and represented in Fig. 1 as Legislation/Cyber Threat, Business Continuity and Strategic Differentiation.
Table 1 Case sites and key informant summary

| Company | Description | No. of employees | Revenue | Key informants |
|---|---|---|---|---|
| Advantage | Integrated IT and telecommunications carrier, Australian and Asia Pacific | 380 | $228 m | CEO/Director, GM Data & Security, Security Practice Mgr (+interim Info Security Officer) |
| Bank | Bank-Australia | see note | $346.4 m | Chief GM IT (CIO equivalent) |
| Best practice Co | Retail water utility. State owned | see note | $356.8 m | GM Finance/Company Secretary, CIO |
| Consultant | Global provider of professional services | see note | $676 m (Aus) | CIO Oceania |
| Differentiator | Information management company | see note | $196.6 m | CFO |
| Distributor | Electricity transmission provider. State owned | see note | $452.6 m | CIO |
| Energy | Electricity generator. State owned | see note | $579 m | MD/Director, IT/Communications Mgr, Risk Mgr |
| Electrical | Retail/distribution electricity company. State owned | 984 | $663 m | CEO/Director, CIO, Non-exec director |
| Electricity | Retail/distribution electricity company. State owned | 2176 | $1.3b | GM Regulatory & Corporate Affairs (including IT responsibility) |
| Healthy | Health insurer | 1100 | $1.9b | Group Executive (BU) (former CFO and acting CEO) |
| Retail gas | Retail market administrator, virtual company | | n/a | CEO |
| Start-up | Newly formed, emergent gas production company | 2 (80+ contractors) | $6 m | COO, Executive Chairman |
| Water | Electricity generator. State owned | 870 | $439.8 m | CEO/Director, GM Corporate (including IT responsibility) |
| Virtual | Retail market administrator, virtual company | 1 | n/a | CEO |

Note: employee counts of 357, 3724 (Aus), 600 (Aus), 974 and 363 are reported for Bank, Best practice Co, Consultant, Differentiator, Distributor and Energy, but their assignment to individual rows is not recoverable from this copy of the table.

CEO chief executive officer; COO chief operating officer; GM general manager; CIO chief information officer; CFO chief financial officer; MD managing director; Mgr manager
Table 2 Summary of empirical themes: ISG arrangements

| Themes: ISG arrangements | Findings reinforcing and extending current thinking | Findings providing new insights |
|---|---|---|
| i. Dynamic, flexible, ongoing phenomenon | Emergent phenomenon | Institutionalised and taken-for-granted necessity |
| ii. Enterprise-wide phenomenon | Intangible asset, technology, people, process and infrastructure protection. Executive responsibility. Directing and controlling focus | Heterogeneous ISG models developed and implemented for homogeneous outcomes. Contextually sensitive with creation of own “best practice” institutional ethos and strategy. Third-party protection. Extends to end-users. IT function primary responsibility still. Planning and organizing focus also. Merging of “governance” and “management” practices |
| iii. Own entity | | Institutionalised as own entity. Not a sub-set of IT governance. Integrated with IT and corporate governance |
| iv. Extends beyond traditional organizational boundaries | | Extended virtual ISG enterprises – collaborative ISG networks of actors and activities legitimated |
| v. Trust: intra- and inter-organizational | Essential outcome of ISG and integral governance mechanism | At heart of relationship governance |
| vi. Integrated internally and externally | Essential outcome of ISG and integral governance mechanism | At heart of relationship governance. Embedded in extant processes |
| vii. Multiple strata | Strategic level focus | Tactical level and relationship governance component focus |
All the cases were subjected to coercive regulatory pressures imposed by the Australian Federal and State governments and have been subjected to cyber threats. Technological pressures also extended to infrastructural requirements, with complex security arrangements. For example, the cases involved in either the generation, distribution or selling of electricity or gas must all maintain mandatory interfaces with the National Electricity Market Management Company’s (NEMMCO—a national regulator) systems in order to be able to operate in the National Electricity Market (NEM). Not surprisingly, the primary motivation for instituting ISG in most cases was to protect themselves from non-compliance and the heightened cyber threats they were facing, as well as to alleviate concomitant business continuity pressures in the event of breaches. Advantage and Differentiator were the only cases that were also influenced by the need for strategic differentiation and competitive advantage. In these two cases the security logic was not only an operational necessity but also a core competency. Responses to these institutional and technical influences were varied. For example, the adoption of “best practice” frameworks and standards from professional bodies was mixed and partial, with only ISO 17799 (now known as ISO 27002) and its Australian equivalents (AS/NZS 27001 and 27002) adopted completely in four of the cases (see Holgate et al. 2012 for detail). To some degree this represents institutional decoupling, in that the normative elements (e.g. aims and objectives) of ISG frameworks and standards are adopted but the operational elements are less likely to be implemented, because of a variety of pressures in institutional environments stemming from multiple institutional logics. For example, Consultant’s ISG arrangements were in response to its global parent company’s mandate.

Fig. 1 Drivers of ISG arrangements
347
ii. Enterprise-wide phenomenon
ISG is practised enterprise-wide in terms of scope and ownership. ISG has transformed from a technical logic to an organizational, enterprise-wide concern focusing on protecting both tangible and intangible enterprise assets, including information. In addition to the technical emphasis, which addresses hardware, software and infrastructure, there is also a focus on collaborative extended enterprises comprising processes, business units, people and relationships with suppliers, partners and customers. Hence ISG also extends to third parties. Ownership of ISG was found in both the IT and business executive. These findings highlight a different view from the widespread calls in the literature for more direct Board responsibility. Whilst Boards may maintain a high level oversight, ISG leadership, management and control have been delegated to the Executive in all cases. In addition, the findings also revealed that whilst the Executive and Board are primarily responsible, lower levels within the organization as well as third parties are involved in the tactical arenas of ISG, which we discuss further below. We believe that this widening of the scope of ISG in terms of ownership, the extended enterprise and the multiple processes and relationships requires a reframing of ISG towards what might better be termed information protection governance (IPG) in order to provide a more holistic, contextual and integrated view.
iii. An entity in its own right
The findings revealed variation in terms of the locus of ISG in relation to IT governance and corporate governance. That is, ISG was represented as being implicit in IT governance, implicit in corporate governance only, and as a function in its own right (see Holgate et al. 2012). Eight of the fourteen cases had a specific governance framework of some kind to govern information security initiatives regardless of whether ISG was undertaken separately in its own right or as part of a wider governance program.
iv. Extended virtual ISG enterprises
The findings show that various actors, and groups of actors, have joined to form internally collaborative, rather than competitive, networks or relational systems. Hence ISG extends beyond traditional organizational boundaries to include external partners. Boundaries delineating organizations and the governance activities and employees therein have blurred and shifted to encompass elements of other organizations, and new networks of activities and actors have become legitimate. We have labelled these network organizations ‘virtual ISG enterprises’ and depict an example showing their extra-organisational and distributed nature in Fig. 2. These virtual ISG enterprises are fluid in structure, with the boundaries changing as the ISG needs of the core enterprises, with which various partners engage, change. The extended enterprises are both an antecedent to and/or the outcome of respective ISG strategies. The core organizations have thus initiated the formation of agile virtual organizations, which comprise a dynamic assembly of core competencies, the mix of which alters in response to environmental changes. Membership, acceptable behavior standards and the relationships between the core organization and each service-providing partner are defined primarily by the core organization, and negotiated predominantly according to its needs as the purchaser of services.
Fig. 2 Example of an extended virtual ISG enterprise
v. Reliance on trust: intra- and inter-organizational
ISG arrangements emerging from the case organizations highlight a shift toward trust relations, whilst still retaining some vestige of power elements, in the form of governing service level agreements for example, as a driver of behaviour. Parties rely on both trust and power, in varying amalgamations, as institutional mechanisms to guide appropriate specified enterprise information security behaviours in all aspects of business. At the intra-organizational level, there is a degree of delegation of trust evident, in the sense of reliance on doing the correct thing in an honest manner, implicit in this extension, as measurement of user information security behaviour has typically been problematic. For example, according to the non-executive director of Electrical: “I think there is probably a greater degree of trust in areas where they’re not comfortable, so they do trust the Executive to a greater extent in IT things.” Trust was also interpreted as an intra-organizational dependability, with the terms “rely” and “reliance” regularly used by interviewees. In some instances, the delegation of responsibility within organizations was considered not entirely appropriate. For example, a non-executive director of Electrical indicated that whilst she and fellow directors did not feel pressured by increasing enterprise information security legislation, as the Board “trusts” the Executive to monitor the company’s “compliance with new regulations and whatever else” and act accordingly, she saw reliance on the Executive as potentially problematic and something which should be changed. At an inter-organizational level, the case organizations have largely entered into extended virtual ISG arrangements as described above. These networks exhibit patterns of trust and relationships geared toward appropriate information use behaviour. For example, Retail Gas, a virtual company which governs the retail gas market for two States, views an element of trust between the members as essential for protecting information. According to the CEO, this is a reciprocal trust whereby the members in turn trust Retail Gas to ensure that its own systems are governed by appropriate mechanisms.
vi. An integrated phenomenon
The relationship between corporate governance, IT governance and ISG is presented in varying ways in the literature, with a predominant view of ISG being a subsystem of IT governance. The empirical findings in our study suggest that there is no particular relationship model between these types of governance that is superior to any other.
They also imply that the locus of ISG in relation to other corporate governance models is not important, provided they are integrated as depicted in Fig. 3. That is, ISG is integrated with both corporate governance and IT governance initiatives; and enterprise information security strategy is integrated with business and IT strategies. For example, at Consultant, all of the company policies have aspects of security embedded in them – the way the company deals with its clients, the way it exchanges information, and the way it stores it. The company thus seeks to embed its IT governance and ISG with others in the organization, such as strategic policies and external corporate governance standards. Various strategies have been employed in each case organization to achieve such internal integration. For example, at Water, ISG processes have been progressively embedded within normal business operational processes through an integrated system for risk management. From an external perspective, the emphasis on critical infrastructure protection has become a focus of all the case organizations, which aim to proactively track and respond to emerging technological and regulatory issues and cyber threats by evolving their systems architectures and technology defence mechanisms. This has led many of the case organizations to consort with critical infrastructure security groups comprising similar organizations, subject to similar technical and institutional influences, and to integrate outcomes from such forums within their own ISG strategies. The cases have also adopted a strategy, where possible, of integrating their ISG efforts with those of relevant external parties in order to achieve enterprise information security effectiveness. For example, the company secretary of Electrical participates in Energy Supply Association of Australia disaster recovery and security reviews of terrorist threats. These are broad critical infrastructure protection initiatives that include IT. Further, the company’s systems are integrated with NEMMCO systems to allow energy trading and must adhere to NEMMCO’s security standards.
Fig. 3 Continuous alignment of corporate, IT and information security governance and strategy development
vii. A phenomenon that exists at multiple strata: strategic, tactical, relational
ISG emerged from the findings with strategic, tactical and relationship dimensions. These management dimensions and ownership of strategic and tactical governance are illustrated in Fig. 4. Strategic ISG endeavours were concerned with development decisions and their review. They incorporate the planning, organizing and control of ISG strategy, objectives, ethos, critical success factors, structure, processes and system decisions. Hence strategic ISG focused on creating the environment which formed the basis of tactical ISG. At a strategic level, new ISG logics, such as Best Practice Co’s Enterprise Security Framework, Healthy’s IT Security Governance Framework and Electricity’s E-Commerce Fraud Strategy, have served to institutionalise the process of ISG change. In addition, prevailing logics such as Start-Up’s Risk Management Plan, Distributor’s State Disaster Plan, and Consultant’s Global Policies and Practices were also influential. All of the cases regard ISG as a tactical endeavour. Tactical ISG concerns implementation decisions, their review and the oversight of ISG implementation activity. This covers the organization, control and direction of ISG strategy, objectives, ethos, critical success factors, structure, process and systems implementations. Whilst there was wide variation evident in the ISG processes, this resulted in a relatively homogeneous outcome, that is, effective ISG. Underpinning both strategic and tactical ISG in each of the case organizations was relationship governance. As shown in Fig. 5, ISG steers relationships between core organizations and their partner entities; between information security strategy and business and IT strategy; between governance imperatives and enterprise information security strategy; between the IT function and the remaining components of the organization; and between existing business functions and processes and ISG processes. At the core of its ability to steer such relationships lay the practices of trust and integration.
Fig. 4 Strategic and Tactical Components of ISG
Implications for research and practice
Given the increasing attention that security breaches have received, the results of our study and the conclusions derived have both theoretical and practical meaning. The study set out to examine how ISG arrangements are framed and shaped in Australian Critical Infrastructure Organizations. The implications for research and practice and the conclusions of our study are as follows.
Heterogeneous and malleable arrangements of ISG
This study reveals diverse ISG approaches in the field and shows that ISG arrangements vary widely, despite the evidence of some isomorphism. Conformance and performance objectives, that is, meeting compliance requirements and improving effectiveness for ISG, were not found to be universal triggers for decision makers but are institutionally contingent. This suggests that the confluence of multiple institutional forces across organizations (e.g. intra-organizational relations), fields (e.g. critical infrastructure), industries (e.g. energy, water, ICT) and countries (e.g. BS 7799 and AS/NZS 17799) may result in variation and heterogeneity rather than homogeneous arrangements of ISG. For example, the protection of information was a core competency of Advantage and Differentiator and viewed as a strategic differentiator, in contrast to the remaining cases. Both organizations had recently transformed existing networks in terms of moving from supplier-customer type relationships to strategic partners in the delivery of security host services and business intelligence respectively, pointing to different kinds of rationality. In addition, the development and shifts in governance arrangements may ultimately depend on the power of actors that make such decisions in organizations. Further research is required to gain a deeper understanding of the mix of defensive, protective and enabling foci adopted in practice and the different political arenas in which different actors are engaged in designing the goals for ISG. In addition, an examination of the events leading up to and processes involved in the institutionalisation and de-institutionalisation of ISG is needed to progress understanding of socio-technical change surrounding ISG in organizations.
Fig. 5 Information Protection Relationship Governance
The multiplicity of institutional logics in ISG
At the field level, organizations were formed around the issue of critical infrastructure, as well as, in some cases but not all, similar products and markets. However, ISG in each case organization was found to be a mix of laws, regulations, material practices and strategic imperatives. These findings support claims in the institutional logics literature (see e.g. Thornton et al. 2012, 175) about how institutional complexity can subject organizations to multiple, competing and contradictory logics. Connecting the activities of people and organizations that are informed by and embedded in these multiple logics requires further research. Further, understanding of how critical infrastructure organizations are involved in “both horizontal (cooperative and competitive) and vertical (power and authority) connections” highlights the need, as identified by Scott (2008, 441–442) more broadly, to “shift the analytic focus from individual organizations to higher levels of analysis.” This not only presents opportunities for future directions in exploring ISG but also presents key challenges in the design of such research.
Institutional possibilities, extended governance and institutional entrepreneurs
Whilst the Board members and senior level management have leading roles, the findings point to other significant actors such as outsourcing partners and lower level management. Hence the ownership of ISG was not necessarily based on single autonomous organizations. Rather, ISG appeared to be accomplished by interactions and multilateral relationships within and across organizational boundaries, contingent upon varying institutional possibilities. This suggests that single organizations may not be equipped to deal with the complexity associated with ISG, requiring networked type governance arrangements with shared accountabilities. It further raises the issue that whilst normative institutions of ISG, such as professional frameworks, may shape the nature of change and structures across different contexts, they themselves may also change in character over time based on the meanings ascribed to ISG and situated actions in local contexts. Hence attention needs to be directed towards not only structures but also the actions of individuals engaged in steering ISG. While the institutionalisation of ISG was revealed as a dynamic multi-level process, further work is required to understand the negotiated character of ISG over time. There is considerable potential for tensions in extended governance arrangements arising from multiple stakeholders situated within different institutional regimes and fields incorporating social and technical change. Further, the role of professional agents, standard setters and third party providers may provide insights into the emergence of inter-organizational structures and political processes in developing governance arrangements and further progress the concept of institutional entrepreneurship.
Need for an information protection logic
The limited number of perspectives and theoretical development in ISG has resulted in conceptual ambiguities and contradictions, specifically with regard to the concept of information itself. The protection of the information asset itself was identified as a core competency and strategic imperative in both the Advantage and Differentiator cases. The conflation of the concept of information with technology (Pinch 2008, 467) and in turn security (Straub et al. 2008, 6) has taken on a limited meaning associated with particular devices such as computers, the internet, mobile phones and databases. More attention needs to be directed towards exploring the interdisciplinary terrain of information protection and probing theoretical ambiguities, to clarify and advance current thinking. We identify the need to reframe ISG, adopting the new label information protection governance (IPG), to present a more multifaceted view of information protection incorporating a richly layered set of social and technical aspects that constitute and are constituted by governance arrangements. Understanding the material and social dimensions of information protection has the potential for surfacing new meaning in terms of, for example, the prospective and retrospective classification of information for governance, compliance and risk management, thereby enriching strategies for practitioners.
Limitations and conclusion
In this study we have used a socio-technical and institutional logic perspective to explore practice variations of ISG in Australian critical infrastructure organizations. We found that ISG is a socio-technical, emergent and situated practice and revealed institutional sources of variations in practice. Whilst there are limitations in terms of the case studies solely representing critical infrastructure organizations in an Australian context, the extended theoretical view offered assists in developing a richer theory for ISG, which reveals not only the complexity in making information security governable but also the problematic nature of how it is governed. We hope that the analysis presented in this paper may serve to stimulate further interest in ISG and the protection of information more broadly.
References
Allen, J. H. (2005). Governing for enterprise security. Technical Note CMU/SEI-2005-TN-023. PA: The Software Engineering Institute, CERT®, Carnegie Mellon University.
Attorney General’s Department (AGD). (2010). Critical infrastructure resilience strategy. Australian Government Attorney General’s Department. Barton, ACT: Commonwealth of Australia.
Caralli, R. A. (2004). Managing for enterprise security. Technical Note CMU/SEI-2004-TN-046. The Software Engineering Institute, Carnegie Mellon University.
Carnegie Mellon CyLab. (2012). Governance of enterprise security: CyLab 2012 Report. RSA: Jody R. Westby.
Cavaye, A. L. M. (1996). Case study research: a multi-faceted research approach for IS. Information Systems Journal, 6, 227–242.
Coles, R. S., & Moulton, R. (2003). Operationalizing IT risk management. Computers & Security, 22(6), 487–493.
Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24, 361–372.
Dhillon, G., & Torkzadeh, G. (2006). Value-focused assessment of information system security in organizations. Information Systems Journal, 16, 293–314.
Deloitte Touche Tohmatsu (DTT). (2007). Global Security Survey: The shifting security paradigm. USA: DTT.
Dutta, A., & McCrohan, K. (2002). Management’s role in information security in a cyber economy. California Management Review, 45(1), 67–87.
Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532–550.
Fiss, P. C. (2008). Institutions and corporate governance. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 389–410). London: SAGE Publications Ltd.
Fourie, L. C. H. (2003). The management of information security - A South African case study. South African Journal of Business Management, 34(2), 19–29.
Fulford, H., & Doherty, N. F. (2003). The application of information security policies in large UK-based organizations: an exploratory investigation. Information Management & Computer Security, 11(3), 106–114.
Gartner. (2012). Survey analysis: Information security governance, 2012. Gartner: Tom Scholtz.
Gerber, M., & von Solms, R. (2005). Management of risk in the information age. Computers & Security, 24(1), 16–30.
Granovetter, M. (1985). Economic action and social structure: the problem of embeddedness. American Journal of Sociology, 91, 481–510.
Greenwood, R., Oliver, C., Sahlin, K., & Suddaby, R. (2008). Introduction. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 1–46). London: SAGE Publications Ltd.
Griffith, T., & Dougherty, D. J. (2002). Beyond socio-technical systems: introduction to the special issue. Journal of Engineering and Technology Management, 19(2), 205–216.
Holgate, J. A. (2007). Governance arrangements for enterprise information protection: an Australian critical infrastructure perspective. Doctoral Thesis, University of Sydney.
Holgate, J. A., Williams, S. P., & Hardy, C. A. (2012). Information security governance: Investigating diversity in critical infrastructure organizations (Awarded ‘Bled Theme Outstanding Paper’). Proceedings of the 25th Bled eConference 2012, Bled, Slovenia, 20th June 2012.
Hu, Q., Hart, P., & Cooke, D. (2007). The role of external and internal influences on information systems security—a neo-institutional perspective. The Journal of Strategic Information Systems, 16, 153–172.
Information Systems and Control Association®. (2010). The business model for information security. ISACA®, Rolling Meadows, IL, USA: Rolf M. von Roessing.
Information Systems and Control Association®. (2012). COBIT® 5 for Information Security. ISACA®, Rolling Meadows, IL.
Information Technology Governance Institute™. (2001). Information security governance: guidance for boards of directors and executive management. Information Systems Audit and Control Foundation™ (ISACF). Rolling Meadows, IL, USA: ITGI™.
Information Technology Governance Institute™. (2008). Information security governance: Guidance for information security managers. ITGI™, Rolling Meadows: W. Krag Brotby.
Information Technology Governance Institute™. (2011). Global Status Report on the Governance of Enterprise (GEIT)-2011.
International Organization for Standardization (ISO). (2013). ISO/IEC 27014:2013 Information technology—Security techniques—Governance of information security. Rolling Meadows: ITGI™.
IT Governance Institute (ITGI). (2006). Board briefing on IT governance (2nd ed.). Rolling Meadows, IL: ITGI.
Johnston, A., & Hale, R. (2009). Improved security through information security governance. Communications of the ACM, 52(1), 126–129.
Karyda, M., Mitrou, E., & Quirchmayr, G. (2006). A framework for outsourcing IS/IT security services. Information Management & Computer Security, 14(5), 402–415.
Kokolakis, S. A., Demopoulos, A. J., & Kiountouzis, E. A. (2000). The use of business process modelling in information systems security analysis and design. Information Management & Computer Security, 8(3), 107–116.
Majchrzak, A., & Borys, B. (2001). Generating testable socio-technical systems theory. Journal of Engineering and Technology Management, 18, 219–240.
McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2004). Anchoring information security governance research: sociological groundings and future directions. Proceedings of the Third Security Conference, Las Vegas.
McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2007). Perception of risk and the strategic impact of existing IT on information security strategy at board level. Online Information Review, 31(5), 622–650.
Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis: an expanded sourcebook (2nd ed.). Thousand Oaks: SAGE Publications, Inc.
Moulton, R., & Coles, R. S. (2003). Applying information security governance. Computers & Security, 22(7), 580–584.
Orlikowski, W., & Barley, S. (2001). Technology and institutions: what can research on information technology and research on organizations learn from each other? MIS Quarterly, 25(2), 145–165.
Pinch, T. (2008). Technology and institutions: living in a material world. Theory and Society, 37, 461–483.
Posthumus, S., & von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638–646.
Saldaña, J. (2009). The coding manual for qualitative researchers. London: Sage.
Schultz, E. E., Proctor, R. W., Lien, M.-C., & Salvendy, G. (2001). Usability and security: an appraisal of usability issues in information security methods. Computers & Security, 20(7), 620–634.
Scott, W. R. (2008). Approaching adulthood: the maturing of institutional theory. Theory and Society, 37, 427–442.
Seidman, I. (1998). Interviewing as qualitative research: a guide for researchers in education and the social sciences (2nd ed.). New York: Teachers College Press.
Siponen, M. T., & Willison, R. (2007). A critical assessment of IS security research between 1990–2004. In H. Österle, J. Schelp, & R. Winter (Eds.), Proceedings of the 15th European Conference on Information Systems (pp. 1551–1559), St. Gallen, Switzerland.
Straub, D. W., Goodman, S., & Baskerville, R. L. (2008). Framing the information security process in modern society. In D. W. Straub, S. Goodman, & R. L. Baskerville (Eds.), Information security policies, processes and practices (pp. 5–12). Armonk: ME Sharpe, Inc.
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision making. MIS Quarterly, 22(4), 441–469.
The Institute of Internal Auditors. (2010). Global Technology Audit Guide (GTAG®) 15: Information Security Governance. The Institute of Internal Auditors (IIA), USA: Paul Love, James Reinhard, A. Schwab, & George Spafford.
Thomson, K.-L., & von Solms, R. (2005). Information security obedience: a definition. Computers & Security, 24(1), 69–75.
Thornton, P., & Ocasio, W. (1999). Institutional logics and the historical contingency of power in organizations: executive succession in the higher education publishing industry, 1958–1990. American Journal of Sociology, 105(3), 801–843.
Thornton, P. H., & Ocasio, W. (2008). Institutional logic. In R. Greenwood, C. Oliver, K. Sahlin, & R. Suddaby (Eds.), The SAGE handbook of organizational institutionalism (pp. 99–129). London: Sage.
Thornton, P. H., Ocasio, W., & Lounsbury, M. (2012). The institutional logics perspective: a new approach to culture, structure and process. Oxford: Oxford University Press.
Tsoumas, V., & Tryfonas, T. (2004). From risk analysis to effective security management: towards an automated approach. Information Management & Computer Security, 12(1), 91–101.
Vermeulen, C., & von Solms, R. (2002). The information security management toolbox—taking the pain out of security management. Information Management & Computer Security, 10(3), 119–125.
Von Solms, B. (2001). Corporate governance and information security. Computers & Security, 20(3), 215–218.
Von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24, 99–104.
Von Solms, B., & von Solms, R. (2005). From information security to…business security. Computers & Security, 24, 271–273.
Walsham, G. (1993). Interpreting information systems in organizations. Chichester: Wiley.
Warkentin, M., & Johnston, A. C. (2008). In D. W. Straub, S. Goodwin, & R. L. Baskerville (Eds.), Information security, policy, processes, and practices (pp. 46–68). USA: ME Sharpe, Inc.
Xue, Y., Liang, H., & Boulton, W. R. (2008). Information technology governance in information technology investment decision processes: the impact of investment characteristics, external environment and internal context. MIS Quarterly, 32(1), 67–96.